If you have landed here I hope you are looking at starting your training with Damn Vulnerable Web App. I am excited for you as you have so much to learn. I hope it means that you are considering a career in Cyber Security, and that this post will save you a few hours of frustration, and get you to the fun bits quicker.
You are going to need access to tools and access to targets so you can explore legally and for free. This post is about getting you to setup two things which will simply provide you with first the tools and then the targets easily:
- Kali Linux – the goto distribution of choice for penetration testers at all parts of their careers. A Debian base with repositories that contain all of the most common “hacking” tools.
- Docker – I risk offending people with my simplistic definition here. I think of this as a lightweight virtual machine. Really it is a “container” which can include an entire ecosystem.We can use this to clone down vulnerable targets to play with quickly which will run inside our Kali. This will provide the targets.
In this post I will cover setting things up by providing links to the appropriate guides. By the end you will have access to Damn Vulnerable Web App (DVWA) which you can start targeting immediately!
Pre-Amble
The simplest way to interact with Kali Linux for most readers will be to use virtualisation.
- Install vmware player or virtual box. I prefer vmware Player and so the rest of this guide assumes you are using this. Sorry folks.
- Download Kali ISO and build a virtual machine.
- Boot and log into Kali with the credentials you created.
If all is going well you have a new OS with a fresh desktop environment.
Setup VMWare Tools
Before you go too far you are going to want to setup “VMWare Tools”. This will allow you to copy/paste between your host and guest machine as well as smooth out lots of bumps.
Fortunately there is an easy to follow and official guide here:
http://docs.kali.org/general-use/install-vmware-tools-kali-guest
By the end of this you should have a more useful virtual machine.
Setup Docker (the Lazy way)
To me docker is not that easy to setup. As Kali is Debian based you may assume that it is simply “apt-get install docker”. This is not the case and a major reason for me writing this post is to make sure you can get Docker into Kali as easily as possible.
The following script was made by some genius called “apolloclark” on Github:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # update apt-get | |
| export DEBIAN_FRONTEND="noninteractive" | |
| sudo apt-get update | |
| # remove previously installed Docker | |
| sudo apt-get purge lxc-docker* | |
| sudo apt-get purge docker.io* | |
| # add Docker repo | |
| sudo apt-get install -y apt-transport-https ca-certificates | |
| sudo apt-key adv –keyserver hkp://p80.pool.sks-keyservers.net:80 –recv-keys 58118E89F3A912897C070ADBF76221572C52609D | |
| cat > /etc/apt/sources.list.d/docker.list <<'EOF' | |
| deb https://apt.dockerproject.org/repo debian-stretch main | |
| EOF | |
| sudo apt-get update | |
| # install Docker | |
| sudo apt-get install -y docker-engine | |
| sudo service docker start | |
| sudo docker run hello-world | |
| # configure Docker user group permissions | |
| sudo groupadd docker | |
| sudo gpasswd -a ${USER} docker | |
| sudo service docker restart | |
| # set Docker to auto-launch on startup | |
| sudo systemctl enable docker |
Save this script to a file on your desktop called “getdocker.sh”. Then execute that in a terminal by first “chmod +x getdocker.sh” and then “./getdocker.sh”. This will install docker for you.
I am not going to explain how to actually use docker in the general cases. So you probably want to eventually get round to reading this:
https://docs.docker.com/engine/getstarted/
You can skip reading tutorials for Docker right now if you just want to focus on DVWA as soon as possible.
Getting DVWA and Running it
Various people have made docker containers which contain DVWA. At the time of writing the top hit on Google was made by another rockstar called “infoslack”. Open the following URL to see the details:
https://github.com/infoslack/docker-dvwa
The following commands are all you would need to execute:
docker pull infoslack/dvwa docker run -d -p 80:80 infoslack/dvwa
At this point you can access DVWA on localhost port 80.
Check that you are ready
Open this URL in the browser within Kali:
As you have not configured your server yet it will ask you to setup your database:
If you click on “Create / Reset Database” button then you will complete the setup. This will take you to a login page. Enter “admin” and “password” to login.
This will present you with the full interface which will include a long list of options down the left. By default your DVWA install will be set to “Impossible” level of difficulty. You should be unable to exploit any of the vulnerabilities because the code is not designed to be vulnerable at this level.
Click on “DVWA Security” and then alter the drop down from “Impossible” to low and click “Submit”.
At this point you can click on links on the left to load specific vulnerable exercises.
Play safe.
cornerpirate.com 